Firezone is an open-source, zero-trust access platform designed to replace traditional VPNs with a modern, granular approach to remote network access. Built on WireGuard®, it provides secure, peer-to-peer encrypted tunnels with sub-10ms latency and up to 5 Gbps throughput per connection. Unlike legacy hub-and-spoke VPNs, Firezone eliminates centralized routing overhead and enforces least-privilege access through group-based policies that control access to specific applications or subnets. It’s ideal for DevOps teams, security-conscious organizations, and remote-first companies seeking a secure, high-performance alternative to OpenVPN or ZeroTier. The platform includes a full-stack architecture with an Elixir-based admin UI, Rust-based data plane components (gateway, relay, and clients), and cross-platform native apps for macOS, iOS, Android, Windows, and Linux.
What You Get
- WireGuard®-based performance - Firezone leverages the WireGuard protocol to deliver 3–4x faster throughput than OpenVPN with sub-10ms latency and up to 5 Gbps per connection, thanks to its lightweight Rust data plane.
- Zero-trust access policies - Enforce granular, least-privileged access to applications and subnets using group-based rules, ensuring users only reach what they’re explicitly authorized for.
- Peer-to-peer tunneling - Connections are established directly between clients and resources via hole-punching, so traffic does not have to be routed through a central server, which benefits both privacy and performance.
- Multi-provider SSO integration - Authenticate users via email, Google Workspace, Okta, Entra ID (Azure AD), or any OIDC-compatible identity provider with automatic user and group sync.
- Multi-gateway scalability - Deploy multiple gateways for automatic load balancing and failover, enabling seamless scaling without single points of failure.
- Audit logs and compliance - Full activity logging for up to 90 days, with SOC 2 Type I and II compliance available in the managed cloud offering.
- Cross-platform clients - Official native clients for macOS, iOS, Android, ChromeOS, Windows, and Linux built with Swift, Kotlin, and Rust for a consistent user experience.
- Self-hostable (non-production) - Full source code available under Apache 2.0 and Elastic 2.0 licenses, allowing self-hosting for educational or hobby use via the monorepo’s elixir/ and rust/ directories.
Common Use Cases
- Building a remote workforce infrastructure - A company with 200+ distributed employees uses Firezone to provide secure, fast access to internal tools (Jira, CI/CD pipelines, databases) without exposing them to the public internet.
- Migrating from OpenVPN - An IT team replaces a legacy OpenVPN setup with Firezone, reducing connection latency by 70% and eliminating the need for complex firewall rules due to Firezone’s zero-trust model.
- DevOps teams managing microservices - Engineers use Firezone to securely access Kubernetes clusters and internal APIs in staging environments without opening ports or managing static IPs.
- Compliance-sensitive organizations - Financial services teams use Firezone’s audit logs and SSO integration to meet SOC 2 requirements while enabling secure access for auditors and contractors.
- Small teams needing a self-hosted alternative - A startup deploys Firezone on a single VM to provide secure remote access to their internal services, using the open-source gateway and CLI client for development environments.
Under The Hood
Firezone is a secure, multi-platform networking solution that enables zero-trust remote access by combining Elixir-powered backend services with a Rust-based GUI client and Android mobile app. It emphasizes modular design, real-time communication, and flexible policy enforcement across distributed environments.
Architecture
Firezone follows a layered, domain-driven architecture that cleanly separates backend, frontend, and mobile components to support independent development and deployment.
- The system uses a multi-tiered structure with well-defined boundaries between API services, UI layers, and mobile functionality
- Core Elixir modules are organized around distinct domains like authentication, billing, and gateway management for improved maintainability
- Design patterns such as dependency injection and strategy-based flows help decouple components and support extensibility
- Event-driven workflows and pubsub mechanisms ensure loose coupling between frontend, backend, and mobile layers
Tech Stack
Firezone leverages a diverse tech stack centered on Elixir and Rust, integrating modern web frameworks and cross-platform tools.
- Built primarily in Elixir for backend services and Rust for performance-critical UI components, with a React-based frontend powered by Tauri and Next.js
- Relies on Phoenix for web development, Tailwind CSS and Flowbite for styling, and Tauri for cross-platform desktop app support
- Uses Vite, ESLint, and TypeScript to enhance frontend development and type safety, with Mix for task automation and testing
- Integrates Elixir’s ExUnit and custom build scripts to support CI/CD pipelines and comprehensive test coverage
Code Quality
Firezone demonstrates a mature testing approach with an emphasis on integration and functional validation across its components.
- The test suite is comprehensive, covering key business logic and data constraints to ensure reliability and correctness
- Error handling is consistently applied across Elixir and JavaScript layers using standard try/catch patterns
- Code style and conventions are reasonably consistent, though some technical debt suggests opportunities for enhanced modularity
- Linting and type safety practices are in place, supporting maintainability and reducing runtime errors
What Makes It Unique
Firezone distinguishes itself through its innovative blend of secure networking and flexible policy control across multiple platforms.
- A modular architecture enables decoupling of core networking logic from UI layers, supporting independent scaling and deployment
- Elixir’s OTP and Phoenix are leveraged for real-time session management and policy-driven access control in distributed setups
- Extensive support for multi-cloud and hybrid environments is enabled through customizable gateway integrations and cross-platform clients
- A declarative configuration model provides fine-grained control over network policies and user access, enhancing flexibility for administrators